On Thu, Jul 28, 2022 at 07:47:15PM +0200, Vitaly Zaitsev via devel wrote:
> On 26/07/2022 20:05, Chris Murphy wrote:
> > Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> > encryption) out of the box with the encryption key sealed in the TPM. Two
> > different issues result:
>
> Microsoft has published a new security bulletin on the current state of
> Secure Boot:
> https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process
>
> The most important note:
>
> > Secured-core PCs require Secure Boot to be enabled and configured to
> > distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide
> > customers with the most secure configuration of their PCs possible.
>
> TL;DR. The new certified by Microsoft devices will be able to load only
> Microsoft Windows in the UEFI Secure Boot enabled mode.
I read that as meaning there are two different certifications
* "Certified For Windows PCs" - the traditional behaviour we've known,
where the 3rd party UEFI CA is enabled by defualt
* "Secured-core PCs" - a new certification promoted as a more secure
out of the box setup, where 3rd party UEFI CA is disabled by default
This doesn't mean that everything is suddenly going to be 'Secure-cored"
and thus prevent use of shim out of the box.
This other doc gives more details
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/OEM-highly-secure-11
[quote]
Microsoft works closely with OEM partners to help ensure that all certified
Windows systems deliver a secure operating environment. Windows integrates
closely with the hardware to deliver protections that take advantage of
available hardware capabilities:
* Baseline Windows security – recommended baseline for all individual
systems that provides foundational system integrity protections.
Leverages TPM 2.0 for a hardware root of trust, secure boot and
BitLocker drive encryption.
* Virtualization-based security enabled – leverages virtualization
capabilities from hardware and the hypervisor to provide additional
protection for critical subsystems and data.
* Secured-core – recommended for the most sensitive systems and
industries like financial, healthcare, and government agencies.
Builds on the previous layers and leverages advanced processor
capabilities to provide protection from firmware attacks.
[/quote]
An open question is just how widely the OEM hardware vendors will
deploy "Secured core" hardware in practice. If they only do this
for enterprise hardware they sell with Windows pre-installed, then
it might not become a big deal, as those running Linux will typically
opt out of Windows pre-install. If they deploy 'Secured core' across
all hardware, both consumer and enterprise, and/or regardless of OS
preinstall choice, then it will become more of a pain for consumers
wanting to run Linux.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
